New PHP Vulnerability Found

Monday Jul 22nd 2002 by Jim Wagner

POST requests in PHP 4.2.0 and 4.2.1 leave networks open for remote and local hacks. Users should upgrade to 4.2.2 immediately.

An input-checking vulnerability in PHP that opens the door for hackers to gain Web server access was patched Monday, and users are urged to update as soon as possible.

The patch, available from the PHP.net Web site, corrects the POST parser in the software, which inspects the headers of incoming traffic and accepts or rejects the data.

According to programmers, the vulnerability in some cases allows hackers to gain "privileged access" to the Web server, letting them either take information for their own use or crash the system.

The only workaround for 4.2.0 and 4.2.1 users is to shut down all incoming POST requests, which administrators are encouraged to do until the patch is implemented.

Stephen Esser, a software developer at e-matters.com, said he found the vulnerability while building an application that processed MIME headers as part of the program.

In his report to PHP.net, he said the new 4.2 versions (which feature a revamped multipart/form-data POST handler) allow some incoming traffic to be inadvertently added to the list of allowed MIME headers, a flaw that gives hackers a way in through the back door.

"A malformed POST request can trigger an error condition that is not correctly handled. Due to this bug it could happen that an uninitialised struct gets appended to the linked list of mime headers," he reported. "When the list gets cleaned or destroyed PHP tries to free the pointers that are expected in the struct. Because of the lack of initialisation those pointers contain stuff that was left on the stack by previous function calls."
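
The failure path Esser describes, modelled in C as an added example (this is not PHP's own parser; the `mime_header` struct, the `header_list` type and the function names are assumptions made for the illustration). The defective function parses a header line into a struct that was never initialised and links it in even when parsing failed; the hardened function zero-initialises the struct and appends only on success. Real stack leftovers are replaced by a fixed `0xAA` fill so the example stays deterministic and never actually frees a wild pointer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of the MIME header list the article describes (added example,
 * not PHP's own code). Each "Name: value" line of a multipart part is parsed
 * into a mime_header that is copied into a linked list; when the request is
 * done the list is destroyed and every pointer in it is passed to free(). */
typedef struct mime_header {
    char *name;                  /* heap copy of the header name, or NULL */
    char *value;                 /* heap copy of the header value, or NULL */
    struct mime_header *next;
} mime_header;

typedef struct { mime_header *head; size_t count; } header_list;

static char *dup_range(const char *s, size_t n) {
    char *p = malloc(n + 1);
    if (!p) return NULL;
    memcpy(p, s, n);
    p[n] = '\0';
    return p;
}

/* Parse "Name: value" (no trailing CRLF) into *entry. A malformed line makes
 * it return -1 without touching *entry, so the caller's error path decides
 * what ends up in the list. */
static int parse_header_line(const char *line, mime_header *entry) {
    const char *colon = strchr(line, ':');
    if (!colon || colon == line) return -1;
    const char *v = colon + 1;
    while (*v == ' ' || *v == '\t') v++;
    entry->name = dup_range(line, (size_t)(colon - line));
    entry->value = dup_range(v, strlen(v));
    if (!entry->name || !entry->value) {
        free(entry->name); free(entry->value);
        entry->name = entry->value = NULL;
        return -1;
    }
    return 0;
}

/* Copy *entry into a new node at the head of the list. */
static int list_append(header_list *l, const mime_header *entry) {
    mime_header *node = malloc(sizeof *node);
    if (!node) return -1;
    *node = *entry;
    node->next = l->head;
    l->head = node;
    l->count++;
    return 0;
}

/* Destructor: trusts that every name/value pointer is NULL or heap-owned. */
void header_list_destroy(header_list *l) {
    for (mime_header *h = l->head; h;) {
        mime_header *next = h->next;
        free(h->name); free(h->value); free(h);
        h = next;
    }
    l->head = NULL;
    l->count = 0;
}

/* Defective pattern from the article: the entry is never initialised and the
 * error path still reaches the append. The 0xAA fill stands in for whatever
 * earlier calls left on the stack. */
int add_header_defective(header_list *l, const char *line) {
    mime_header entry;
    memset(&entry, 0xAA, sizeof entry);          /* simulated stack garbage */
    int rc = parse_header_line(line, &entry);
    if (list_append(l, &entry) != 0) return -1;  /* BUG: appended even when rc == -1 */
    return rc;
}

/* Hardened pattern: pointers start out NULL and the entry is linked in only
 * after parsing succeeded, so a malformed line changes nothing. */
int add_header_hardened(header_list *l, const char *line) {
    mime_header entry = {0};
    if (parse_header_line(line, &entry) != 0) return -1;
    if (list_append(l, &entry) != 0) {
        free(entry.name); free(entry.value);
        return -1;
    }
    return 0;
}

/* 1 if a malformed line leaves the defective list holding a node whose name
 * pointer is the 0xAA fill: non-NULL, not heap-owned, and exactly what
 * header_list_destroy() would hand to free(). The node is unlinked without
 * freeing its fields so this check itself stays well-defined. */
int defective_parser_links_garbage(void) {
    header_list l = {0};
    unsigned char fill[sizeof(char *)];
    memset(fill, 0xAA, sizeof fill);
    int rc = add_header_defective(&l, "no colon here");
    mime_header *node = l.head;
    int garbage = rc == -1 && node != NULL &&
                  memcmp(&node->name, fill, sizeof fill) == 0;
    free(node);                                   /* drop the node, not its fields */
    return garbage;
}

/* 1 if the hardened parser rejects the malformed line without appending,
 * parses two valid lines correctly, and the list destroys cleanly. */
int hardened_parser_ok(void) {
    header_list l = {0};
    int ok = add_header_hardened(&l, "no colon here") == -1 && l.count == 0 &&
             add_header_hardened(&l, "Content-Type: text/plain") == 0 &&
             add_header_hardened(&l, "Content-Disposition: form-data; name=\"f\"") == 0 &&
             l.count == 2 &&
             strcmp(l.head->name, "Content-Disposition") == 0 &&
             strcmp(l.head->value, "form-data; name=\"f\"") == 0;
    header_list_destroy(&l);
    return ok && l.head == NULL && l.count == 0;
}

int main(void) {
    printf("defective parser links garbage on error: %d\n", defective_parser_links_garbage());
    printf("hardened parser behaves correctly:       %d\n", hardened_parser_ok());
    return 0;
}
```

The two fixes in `add_header_hardened` are independent and both matter: zero-initialising the struct means a premature cleanup frees only NULL pointers, and appending only after a successful parse means the error path never adds an entry at all, which also stops a request from padding the list with empty entries.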

The bug affects both IBM and Linux machines running the software.
